(54) Apparatus and method for accessing secured data stored in a portable data carrier



(57) A portable data carrier includes a secure processing element and a co-located directory. A memory element is substantially separated from the secure processing element and disposed within the portable data carrier. A secure processor command stemming from an operator input is then used to access a portion of the directory that includes an address key. The address key is then used to descramble an address in the memory element, which address location includes a representation of the data record.
Description

Field of the Invention 

The present invention relates generally to a portable data carrier designed for storing large amounts of data, and in particular to a method and apparatus for accessing secured data stored in such a portable data carrier.
Background of the Invention

Portable data carriers (e.g., smart cards or chip cards) are known to include a plastic substrate in which a semiconductor device (i.e., integrated circuit, IC) is disposed for retaining digital data. This digital data may constitute program instructions, user information, or any combination thereof. Moreover, these smart cards are known to be operational in a contacted mode, whereby an array of contact points disposed on the plastic substrate and interconnected with the semiconductor device is used to exchange electrical signals between the chip card and an external card reader, or terminal. Similarly, there exist smart cards that operate in a contactless mode, whereby a radio frequency (RF) receiving circuit is employed to exchange data between the card and a card terminal. That is, the card need not come into physical contact with the card terminal in order to exchange data therewith, but rather must simply be placed within a predetermined range of the terminal.

Additionally, there exist smart cards that are alternatively operational in either a contacted mode or a contactless mode. Such cards are equipped with both RF receiving circuitry (for contactless operations) as well as an array of contact pads (for contacted operations). These smart cards are commonly referred to as combination cards, or combi-cards. It should be noted that in both the contact-only card and the combi-card arrangements, the array of contact pads typically conforms to the ISO Standard 7816, which standard is incorporated herein by reference.

One of the problems of prior art smart cards is the increasing need for additional memory for the storage of data records. That is, as the functional capabilities of these smart cards increase, so too does the requirement for storing data for access by the cardholder. Typically, the resident memory on the smart card integrated circuit (IC) is not large enough to store large amounts of data. Of course, mass memory cards (MMCs) are available today, and are small enough for use in a smart card application. However, information stored on such a stand-alone MMC will not be secure, as these MMCs typically do not have the level of security required for smart card applications.

The need for security in a smart card application is well established, and cardholders insist on having their smart card data secure from illicit access. By way of example, a cardholder's medical records, bank account numbers, credit information, and other valuable pieces of data may be stored on the smart card. In fact, stored value cards (i.e., cards that can be loaded with one or more types of currency for use by the cardholder in debit transactions) may be the best example of the special needs for security in smart card applications.

Accordingly, there exists a need for a method and apparatus for securely accessing large amounts of data stored on a smart card. In particular, a smart card that was able to advantageously employ a mass memory device, together with a secure access protocol, would be an improvement over the prior art.

Brief Description of the Drawings. 

FIG. 1 shows a simplified block diagram of a smart card, in accordance with the present invention;

FIG. 2 shows a graphical representation of the secure directory shown in FIG. 1;

FIG. 3 shows a graphical representation of a portion of non-volatile memory, as shown in FIG. 1;

FIG. 4 shows a flow diagram depicting operation of the smart card access method, according to the present invention;

FIG. 5 shows a more detailed flow diagram depicting the record processing method, in accordance with the present invention; and

FIG. 6 shows a memory element that includes exemplary data records, in accordance with the present invention.

Detailed Description of a Preferred Embodiment.

The present invention encompasses a method and apparatus for secure access to a memory element that is substantially separated from a secure processing element of a smart card. The secure processing element includes a directory that is co-located therewith and accesses the directory in response to a secure processor command. Upon retrieving an address key, the address key is used to descramble an address location that contains a representation of the data record being accessed. In this manner, a large, separated memory element can be used to securely store data by taking advantage of a secure access directory that is co-located with the secure processing element.

The present invention can be better understood with reference to FIGS. 1-6. FIG. 1 shows smart card 100 that includes a substrate 102 within which is disposed a secure processing element 104 and a separate mass memory element 105. The secure processing element (SPE) 104, which may be a semiconductor device designed for smart card applications, is further co-

the data scrambler/de-scrambler device 110. The address de-scrambler 112 is then used to descramble (504) the memory element address using the address decryption key stored in non-volatile memory section 304 shown in FIG. 3. In a preferred embodiment, the foregoing steps are employed for each type of operation, whether they are read, write, or erase operations. Similarly, the following steps are taken in response to the type of operation requested by the operator, which operation has already been authorized.

A decision is reached (506) to determine whether or not the intended operation is a READ operation. If the operation is a READ operation, the scrambled data is fetched (508) from the memory location corresponding to the address found in the string array. Next, the fetched data is de-scrambled (510) using the data key retrieved (step 502 above) and using the data de-scrambler 110. Lastly, the de-scrambled data is placed (512) onto the data bus for processing by the secure processing element 104, before the routine is exited.

If it is determined at step 506 that a READ operation is not intended, a decision (514) is reached to determine whether or not the intended operation is an ERASE operation. If not, meaning that the intended operation is a WRITE operation, data is fetched (516) from the SPE bus and scrambled (518) using the appropriate data key, as earlier described. If the intended operation is an ERASE operation, NUL data (e.g., all zeroes, or all ones) is presented to the memory. In either case, the data (scrambled or NUL) is then put (522) into the memory location corresponding to the de-scrambled address, as earlier determined, before the routine is exited. In the foregoing manner, records stored in memory element 105 can be processed in a secure manner by relying on the security features of the secure processing element and non-volatile memory 106 (including the directory 108).

In order to better illustrate the preferred embodiment of the invention, an example is provided using FIG. 6 and FIG. 2 as follows:

It is assumed that memory element 105 appears generally as illustrated in FIG. 6, and is preferably 512 bytes wide and 2048 records in length. In this example, no data records (which may indicate erased or initialized record states) are shown in memory locations 0, 1, and 2045. Likewise, a "don't care" value ("X") is shown in locations 2, 3, 765 and 2047, as these records are not accessed in the example given. According to the example, a data record to be accessed is distributed across four non-contiguous memory locations. Referring now to FIG. 2, directory location 601 comprises a string array that includes address locations 5, 764, 4, and 2046 followed by a NUL value to thereby represent the locations in which the desired information is stored. Similarly, directory location 603 shows the data key value of 05D. As earlier noted, the data keys can be any size, but the exemplary key is 4 bytes.

Referring again to FIG. 6, it is noted that the record of interest is stored sequentially in memory locations 605-608, as shown. Correspondingly, the sequence of these memory locations (i.e., the sequence needed to place the full record in proper order) is given in directory location 601 shown in FIG. 2. In particular, a first segment of the record, REC(1), is shown in memory location 605. Similarly, REC(2)-REC(4) are stored in memory locations 606-608. In this manner, a series of scrambled address locations can be de-scrambled and used to retrieve non-contiguous portions of a larger data record. These portions can then be concatenated for use by the secure processing element (e.g., displayed on a terminal) for use by the operator of the smart card. This record may be, for example, a medical record that includes a doctor's name, and the last three visits made to the doctor. Lastly, an access processor 610 is included in the memory that is responsive to the control signal 116 to enable and disable the memory element 105, as earlier described.
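The record-access flow described above (steps 502-522 of FIG. 5, applied to the FIG. 2/FIG. 6 example with a record spread over locations 5, 764, 4 and 2046), as an added Python simulation that is not part of the patent: the scrambler is assumed to be byte-wise XOR with a repeating key (the patent leaves it unspecified), and the address key 0x3A5, the cardholder names, the per-operation rights table and the record text are constructed.

```python
from typing import Dict, List, Optional

RECORD_WIDTH = 512               # bytes per memory location, as in FIG. 6
NUM_LOCATIONS = 2048             # records in the memory element, as in FIG. 6
NUL_DATA = bytes(RECORD_WIDTH)   # all-zero fill presented to memory by ERASE

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Stand-in scrambler: byte-wise XOR with a repeating key (assumption)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

class SmartCard:
    def __init__(self, address_key: int, rights: Dict[str, set]):
        self.address_key = address_key        # kept in non-volatile section 304
        self.rights = rights                  # operation types allowed per cardholder
        self.directory: Dict[int, dict] = {}  # entry -> scrambled addresses + data key
        self.memory: List[bytes] = [NUL_DATA] * NUM_LOCATIONS  # separate memory element

    def add_entry(self, entry: int, addresses: List[int], data_key: bytes) -> None:
        # The directory holds the address string array scrambled and NUL-terminated.
        scrambled = [a ^ self.address_key for a in addresses] + [None]
        self.directory[entry] = {"addresses": scrambled, "data_key": data_key}

    def _locations(self, entry: int) -> List[int]:
        # Step 504: descramble each address with the address key, up to the NUL.
        locs = []
        for s in self.directory[entry]["addresses"]:
            if s is None:
                break
            locs.append(s ^ self.address_key)
        return locs

    def access(self, holder: str, op: str, entry: int, data: bytes = b"") -> Optional[bytes]:
        # Access rights are checked per operation type before any memory is touched.
        if op not in self.rights.get(holder, set()):
            raise PermissionError(f"{holder} may not {op}")
        key = self.directory[entry]["data_key"]   # step 502: the entry's data key
        locs = self._locations(entry)
        if op == "READ":                          # steps 508-512: fetch, descramble, concatenate
            return b"".join(xor_bytes(self.memory[a], key) for a in locs)
        n = len(locs) * RECORD_WIDTH
        padded = data[:n].ljust(n, b"\0")         # split the record across the locations
        for i, a in enumerate(locs):              # steps 516-522: scramble (or NUL) and store
            chunk = padded[i * RECORD_WIDTH:(i + 1) * RECORD_WIDTH]
            self.memory[a] = NUL_DATA if op == "ERASE" else xor_bytes(chunk, key)

def demo() -> bytes:
    # The page's worked example: one record spread over locations 5, 764, 4 and 2046.
    card = SmartCard(0x3A5, {"holder": {"READ", "WRITE", "ERASE"}, "clerk": {"READ"}})
    card.add_entry(601, [5, 764, 4, 2046], (0x05D).to_bytes(4, "big"))  # data key 05D
    card.access("holder", "WRITE", 601, b"Dr. Example; last visits 01-10, 03-02, 05-19")
    return card.access("holder", "READ", 601).rstrip(b"\0")
```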

Accordingly, the present invention allows for a multi-tiered security mechanism that can be used in smart card applications. Moreover, a mass memory element can be advantageously employed to store many data records in a secure fashion.

Claims 

1. In a portable data carrier that includes a secure processing element having a directory that is co-located with the secure processing element, the portable data carrier further having a memory element that is substantially separated from the secure processing element, a method of accessing a data record stored in the memory element comprising the steps of:

receiving an operation command from a terminal, which operation command corresponds to a secure processor command;

accessing a portion of the directory using the secure processor command to thereby retrieve an address key; and

using the retrieved address key to descramble an address in the memory element, to produce a descrambled address location that contains a representation of the data record.

2. The method of claim 1, wherein the representation of the data record comprises a scrambled data record, further comprising the steps of:

retrieving a data key from the directory; and

using the retrieved data key to descramble the scrambled data record.
3. The method of claim 2, wherein the retrieved data key varies for each of a plurality of entries in the directory.

4. The method of claim 1, further comprising the step of determining whether a cardholder is authorized to access the data record.

5. The method of claim 5, further comprising the step of determining access rights of the cardholder, depending on an intended operation type.

6. In a portable data carrier that includes a secure processing element having a directory that is co-located with the secure processing element, the portable data carrier further having a memory element that is substantially separated from the secure processing element, a method of accessing a data record stored in the memory element comprising the steps of:

accepting an operation command from a terminal, which operation command corresponds to a secure processor command;

accessing a portion of the directory using the secure processor command to thereby retrieve a data key; and

using the retrieved data key to descramble a representation of the data record located in the memory element.

7. The method of claim 6, wherein the representation of the data record resides in a scrambled address location, further comprising the steps of:

retrieving an address key from a non-volatile memory portion of the secure processing element; and

using the retrieved address key to descramble the scrambled address location.

8. The method of claim 6, further comprising the step of determining access rights of a cardholder.

9. The method of claim 8, further comprising the step of determining whether the cardholder is authorized to access the data record.

10. A portable data carrier, comprising:

a secure processing element;

a directory co-located with the secure processing element;

a first descrambler, coupled to receive a key input from the directory; and

a memory element, located substantially apart from the secure processing element, coupled to exchange information with the first descrambler.

11. The portable data carrier of claim 10, wherein the first descrambler comprises an address descrambler, further comprising a data descrambler, coupled to exchange data between the memory element and the secure processing element.